expires_in field ignored if string instead of int and access token is not renewed when expired #26
Comments
Thanks for the report! I would say that this kind of bug should be fixed on the Authorization Server side, not on the client, since the server does not respect RFC 6749 §5.1 which specifies that
What AS implementation are you using? Did you report a bug there? However, I must admit that I had to read the specification twice because the part describing
... so it is easy to make a mistake if you don't read the specification thoroughly. The example however is an integer:
Since the client side fix is nice and clean, I would accept a PR if you submit one. Or I will include that same fix sooner or later.
We utilize Google Cloud Apigee as our AS, and they set the
We only just came across this issue when we started seeing random 401 errors, which we then traced back to expired bearer access tokens. I then did some quick debugging and saw the
I can try to put in a PR and try writing a test for it :)
Oh I love when big corporations don't have the resources to implement a simple, decade-old, standard properly... ^^ Since their Token Response is heavily customised with plenty of additional/non-standard fields (including

```python
from requests_oauth2client import BearerToken, OAuth2Client


class ApigeeBearerToken(BearerToken):
    TOKEN_TYPE = "BearerToken"

    # implement an __init__ that takes expires_in as a string, and optionally handles extra apigee attributes
    def __init__(self, access_token, expires_in=None, **kwargs):
        if isinstance(expires_in, str):
            expires_in = int(expires_in)
        super().__init__(access_token, expires_in=expires_in, **kwargs)


class ApigeeClient(OAuth2Client):
    token_class = ApigeeBearerToken


client = ApigeeClient("https://whatever.google.com")
```
Made the changes here and opened PR #27.
Also just saw your previous comment. So we're currently using the

```python
import os

from requests_oauth2client import OAuth2Client, OAuth2ClientCredentialsAuth

# token_endpoint is defined elsewhere in the original snippet; read from the
# environment here only so the example is complete.
token_endpoint = os.environ["TOKEN_ENDPOINT"]

_oauth2_client = OAuth2Client(
    token_endpoint=token_endpoint,
    auth=(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"]),
)
AUTH_CLIENT = OAuth2ClientCredentialsAuth(_oauth2_client)
```

I guess making a separate Apigee client and bearer token class is doable, but the currently implemented classes in the project are already enough, it was just
Closing this, thanks again for the PR!
requests_oauth2client version: latest

Description

When the expires_in field in the token response is a string, the accepts_expires_in decorator ignores that field since it's not an int. Then the expires_at never gets set and passed to the BearerToken class, and the token is never renewed once it expires. e.g.

What I Did

I was able to fix this locally by adding an additional check to the accepts_expires_in decorator in utils.py. The second if checks if the expires_in is a string and then a valid int, otherwise it continues to the other checks.

Source code to be changed: https://github.com/guillp/requests_oauth2client/blob/main/requests_oauth2client/utils.py#L68-L72
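The client-side fix the issue describes, as an added, stand-alone example that is not requests_oauth2client's own code and not the reporter's patch: a decorator in the same style that accepts expires_in as an int or as a decimal string, rejects anything else (including bool, which is an int subclass in Python), the minimal token class it feeds, and constructed token responses to exercise it. The names parse_expires_in, Token, token_from_response and the sample bodies are assumptions for illustration only.

```python
"""Tolerant handling of a string-valued expires_in in an OAuth 2.0 token response.

Added illustration for this issue; the decorator, Token class and sample
responses below are stand-alone and are not requests_oauth2client's own code.
"""
from __future__ import annotations

import functools
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Optional


def parse_expires_in(value: Any) -> Optional[int]:
    """Return expires_in as a positive number of seconds, or None if unusable.

    RFC 6749 section 5.1 types the field as a number of seconds; some servers
    send it as a decimal string such as "3599", which a plain isinstance(int)
    check silently drops. bool is excluded because it is a subclass of int.
    """
    if value is None or isinstance(value, bool):
        return None
    if isinstance(value, str):
        value = value.strip()
        # Only ASCII digits: rejects "", "abc", "-1" and "3599.5".
        if not (value.isascii() and value.isdigit()):
            return None
        value = int(value)
    if isinstance(value, int) and value > 0:
        return value
    return None


def accepts_expires_in(func: Callable[..., Any]) -> Callable[..., Any]:
    """Turn a keyword expires_in (int or numeric string) into an absolute expires_at.

    An unparseable expires_in is dropped rather than raised on, so a token is
    still constructed; it then has no known lifetime (see Token.is_expired).
    """

    @functools.wraps(func)
    def wrapper(*args: Any, expires_in: Any = None,
                expires_at: Optional[datetime] = None, **kwargs: Any) -> Any:
        seconds = parse_expires_in(expires_in)
        if seconds is not None:
            expires_at = datetime.now(timezone.utc) + timedelta(seconds=seconds)
        return func(*args, expires_at=expires_at, **kwargs)

    return wrapper


class Token:
    """Minimal bearer token holder; keeps non-standard response fields in .extra."""

    @accepts_expires_in
    def __init__(self, access_token: str, expires_at: Optional[datetime] = None,
                 **extra: Any) -> None:
        self.access_token = access_token
        self.expires_at = expires_at
        self.extra = extra

    def is_expired(self, leeway: int = 0, now: Optional[datetime] = None) -> Optional[bool]:
        """True/False when the lifetime is known, None when the server gave none.

        None instead of False keeps the unknown case visible, so a caller can
        refresh eagerly rather than keep sending a token that may be stale.
        """
        if self.expires_at is None:
            return None
        now = now or datetime.now(timezone.utc)
        return now + timedelta(seconds=leeway) >= self.expires_at


def token_from_response(body: dict) -> Token:
    """Build a Token from a parsed token-endpoint JSON body."""
    fields = dict(body)
    return Token(fields.pop("access_token"), **fields)


# Constructed sample responses (not captured from any real server).
STANDARD_RESPONSE = {"access_token": "tok-1", "token_type": "Bearer", "expires_in": 3600}
STRING_RESPONSE = {"access_token": "tok-2", "token_type": "BearerToken",
                   "expires_in": "3599", "vendor_field": "x"}
BAD_RESPONSE = {"access_token": "tok-3", "token_type": "Bearer", "expires_in": "soon"}

if __name__ == "__main__":
    for body in (STANDARD_RESPONSE, STRING_RESPONSE, BAD_RESPONSE):
        tok = token_from_response(body)
        print(body["expires_in"], "->", tok.expires_at, "expired:", tok.is_expired())
```

The point of the three-valued is_expired is the failure mode in this issue: with the strict check, a string expires_in left expires_at unset and the token looked like it never expired, so the client kept sending it until the server answered 401. Treating "no known lifetime" as its own state lets the caller decide to refresh instead of silently trusting the token.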